authorizationPolicy resource type

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents a policy that can control Azure Active Directory authorization settings. It's a singleton that inherits from base policy type, and always exists for the tenant.


Method Return Type Description
Get authorizationPolicy authorizationPolicy Read the authorizationPolicy object.
Update authorizationPolicy None Update the authorizationPolicy object.


Property Type Description
allowedToSignUpEmailBasedSubscriptions Boolean Indicates whether users can sign up for email based subscriptions.
allowedToUseSSPR Boolean Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant.
allowEmailVerifiedUsersToJoinOrganization Boolean Indicates whether a user can join the tenant by email validation.
allowInvitesFrom allowInvitesFrom Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. See more in the table below.
allowUserConsentForRiskyApps Boolean Indicates whether user consent for risky apps is allowed. We recommend to keep this as false.
blockMsolPowerShell Boolean To disable the use of the MSOnline PowerShell module set this property to true. This will also disable user-based access to the legacy service endpoint used by the MSOnline PowerShell module. This does not affect Azure AD Connect or Microsoft Graph.
defaultUserRolePermissions defaultUserRolePermissions Specifies certain customizable permissions for default user role.
description String Description of this policy.
displayName String Display name for this policy.
enabledPreviewFeatures String collection List of features enabled for private preview on the tenant.
guestUserRoleId Guid Represents role templateId for the role that should be granted to guest user. Refer to List unifiedRoleDefinitions to find the list of available role templates. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
id String ID of the authorization policy. Required. Read-only.
permissionGrantPolicyIdsAssignedToDefaultUserRole String collection Indicates if user consent to apps is allowed, and if it is, which app consent policy (permissionGrantPolicy) governs the permission for users to grant consent. Values should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.

allowInvitesFrom values

Member Description
none Prevent everyone, including admins, from inviting external users. Default setting for US Government.
adminsAndGuestInviters Allow members of Global Administrators, User Administrators, and Guest Inviter roles to invite external users.
adminsGuestInvitersAndAllMembers Allow the above admin roles and all other User role members to invite external users.
everyone Allow everyone in the organization, including guest users, to invite external users. The default setting for all cloud environments except US Government.



JSON representation

The following is a JSON representation of the resource.

   "id": "String (identifier)",
  "description": "String",
  "displayName": "String",
  "enabledPreviewFeatures": "[String]",
  "guestUserRoleId": "Guid",
  "allowUserConsentForRiskyApps": false,
  "blockMsolPowerShell": true,
  "defaultUserRolePermissions": {"@odata.type": "microsoft.graph.defaultUserRolePermissions"},
  "allowedToUseSSPR": true,
  "allowedToSignUpEmailBasedSubscriptions": true,
  "allowEmailVerifiedUsersToJoinOrganization": true,
  "allowInvitesFrom": "String",
  "permissionGrantPolicyIdsAssignedToDefaultUserRole": "[String]"